A plugin can spawn arbitrary processes so if neovim is not started in a sandbox (container, namespace, firejail...) they can basically do whatever your user has the right to do.

Pretty big supply chain risks here.

neovim (vim) plugins can make web requests, so you could steal secrets from a .env file being edited by, for example, making a LSP plugin active for .env files? According to my limited knowledge of LSP and how neovim plugins work, it should be possible

Could also just phone home everything a user edits using the text editor I bet.

Can someone tell me, when someone has a terminal buffer, using a vim plugin, could you potentially steal their root password when a user runs a sudo command?

And following up, could you, using that password, allow SSH connections and open ports in other system config files? Disable firewall? And potentially execute other commands using `:!` ?

Anything a user application can do

Good catch, you are correct. I initially was going post the actual command for checking out a branch at a time:

> git checkout $(git rev-list -1 --before="YYYY-MM-DD" master)

but thought I found a shortcut - which turns out is not really one, and like you said: confusing.

I can't edit my post, but in any case; the point being: it would be nice if import statements are closer to "github.com/google/uuid@YYYY-MM-DD" or in this case you can pass a date to version: "YYYY-MM-DD" and the library would run the uglier nested command above to import the proper version.

Dates make pinning easier than looking up a SHA